
The cybercriminal group “Orange” has publicly leaked around 500,000 usernames and passwords of Fortinet VPN users from as many as 74 different countries. The disclosed credentials are associated with FortiGate SSL-VPN devices, and an estimated 87,000 devices around the world are affected.

Attackers can use these credentials to gain access to a victim’s network and carry out malicious activities such as malware installation, data theft, and ransomware attacks.

The hackers claimed that many of the VPN credentials are still valid, even though the exploited Fortinet vulnerability (CVE-2018-13379) was patched by the company long ago.


Hackers Published Fortinet Credentials for Free on New Dark Web Hacking Forum “RAMP”:

The hacking group “Orange” leaked the Fortinet usernames and passwords on the recently launched Russian-speaking cybercrime forum “RAMP” and also on the data leak site of the “Groove” ransomware gang.

Leaked Fortinet VPN Credentials Post on RAMP Hacking Forum

RAMP was formed when Orange partnered with Groove after breaking off ties with its previous partner, the “Babuk” ransomware gang, which attacked the Washington D.C. Metropolitan Police Department in May 2021 and demanded a ransom of $4 million USD in exchange for the decryption key.

Leaked Fortinet VPN Credentials Post on Groove Website

The threat actors also posted the data on the Groove website at the same time they posted it on the RAMP hacking forum. The leaked files were hosted on the same Tor storage server that the Groove gang uses to host stolen files and run its ransomware operations.

The reason for releasing such a large data set is still unknown, but cybersecurity researchers theorize that Orange intentionally disclosed almost 500,000 passwords to draw attention to its new operation and recruit more threat actors to the gang.


Fortinet Response on the Disclosure of FortiGate SSL-VPN Credentials:

Fortinet, a cybersecurity solutions provider, issued an official statement that it is aware of its users’ credentials being given away on the RAMP hacking forum. The company added that this large set of login credentials was stolen from devices running FortiOS that had been left unpatched against CVE-2018-13379.

Here is Fortinet’s official blog post on the leaked VPN credentials: Malicious Actor Discloses FortiGate SSL-VPN Credentials.

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that allows attackers to read system and session files, including files that hold usernames and passwords in plain text, via crafted HTTP resource requests.

This vulnerability was also listed among the most exploited flaws of 2020.

Although Fortinet released a security fix for this flaw in May 2019, it warned that if the passwords were not reset, the devices remain exposed to exploitation.

This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers. And because customer security is our top priority, Fortinet subsequently issued multiple corporate blog posts detailing this issue, strongly encouraging customers to upgrade affected devices. In addition to advisories, bulletins, and direct communications, these blogs were published in August 2019, July 2020, April 2021, and again in June 2021.

Fortinet Official Statement

India Tops in the List of Leaked Fortinet VPN Credentials:

The breach data set contains 799 directories reportedly covering 498,908 users of leading companies, tied to 87,000 VPN devices spanning more than 74 different countries.

India has the largest share of the leaked credentials, followed by Taiwan, Italy, France, Mexico, Israel, and Brazil. Of 22,500 victims, 2,959 are US entities, based on the location of the IP addresses.

Geographic distribution of leaked Fortinet servers

Recommendations and Mitigation Steps for the Leaked Fortinet VPN Credentials:

Fortinet also published recommended mitigation steps for the leaked VPN usernames and passwords on its official security blog.

It advised organizations to first disable all VPN connections immediately and upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above to receive the latest security patch.

It also strongly recommends a forced reset of all user passwords after the upgrade, because a device remains exposed even after the upgrade if its users’ credentials were already compromised.

Below are the security measures recommended by Fortinet:

  • Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.
  • Immediately upgrade affected devices to the latest available release.
  • Treat all credentials as potentially compromised by performing an organization-wide password reset.
  • Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
  • Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.
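The remediation list above can be turned into a per-device triage. The following script is an added example, not Fortinet’s own tooling: it checks each FortiGate’s FortiOS version against the fixed releases the article names (5.4.13, 5.6.14, 6.0.11, 6.2.8) and builds the action list for each device; the inventory and device names are constructed, and any branch not named on the page is reported as unknown rather than assumed safe.

```python
"""Triage a FortiGate inventory against the fixed FortiOS releases named
in the article. Added example; inventory and device names are constructed."""
from typing import Dict, List, Tuple

# Minimum fixed release per FortiOS branch, as listed on the page.
FIXED_RELEASES = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'6.0.10' -> (6, 0, 10); raises ValueError on malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def upgrade_status(version: str) -> str:
    """Return 'patched', 'upgrade required', or 'unknown branch'."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        # Branch not named on the page: verify it against the PSIRT advisory.
        return "unknown branch"
    return "patched" if v >= fixed else "upgrade required"


def remediation_plan(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Per device, the ordered actions from the article's mitigation list.
    Password reset and MFA apply even when firmware is current, because
    credentials stolen before the upgrade stay valid afterwards."""
    plan: Dict[str, List[str]] = {}
    for device, version in inventory.items():
        actions = ["disable SSL-VPN/IPsec until remediated"]
        status = upgrade_status(version)
        if status != "patched":
            actions.append(f"upgrade firmware ({status}: running {version})")
        actions += ["force organisation-wide password reset",
                    "enforce MFA on VPN logins"]
        plan[device] = actions
    return plan


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {"fw-branch-01": "6.0.10", "fw-dc-02": "6.2.8", "fw-lab-03": "6.4.2"}
```

Running `remediation_plan(SAMPLE_INVENTORY)` yields an upgrade step only for the device on 6.0.10, while every device still gets the disable, password-reset and MFA steps.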

